The risk management function has been likened to a lighthouse – always on the watch to make sure nothing goes wrong and lighting the way for everyone so they can navigate the safest path. However, this presupposes that the captain of the ship has taken accountability for ensuring that the ship is seaworthy, that all personnel on board are competent and trained, and that any passengers have been provided with safety information. It also presupposes that sufficient due diligence has been undertaken to understand the impact of the weather, to allow for the vagaries of the sea and to ensure that the communications equipment on board will function when needed, so that the captain can communicate with the lighthouse operator.
And we would all expect that a reasonable and semi-competent captain would have taken steps to make sure this is the case. So, in a corporate environment, does the same principle hold true? As a risk management function, are we satisfied that our role is to guide the business when danger is looming or do we think we need to step into the captain’s shoes and do everything that the captain ought to do? And what is the expectation from the business of the risk management function?
You might say that this would depend on any number of factors – how much does the captain care about passenger safety, what is the captain’s appetite for risk, are there any other constraints on the captain… the list is endless.
But what it ultimately comes down to is who is accountable for risk management decisions. In the majority of cases, this would be the same individual who is accountable for running the business. After all, a business can only successfully be run and be self-sustaining if it is run in light of the risks that impact it, not despite the risks.
So then, why are risk management frameworks, policies and procedures written by the risk management function using technical risk jargon, reviewed by the risk management community and rolled out to risk managers? Wouldn’t it be more constructive to work with senior executives to come up with a simple set of principles that the business can incorporate into its existing processes, thereby ensuring that risk management is embedded? If the answer is yes, that risk management is the business’s responsibility, then what should the role of the risk management function be? Perhaps the answer is that, just like the engineers, navigators, meteorologists and other specialists who help the captain of a ship understand their environment and minimise their exposure, the role of the risk management function is to translate regulatory requirements and technical risk management principles into plain English, empowering and supporting the business to manage its own risks and make informed decisions.
The question is: as a risk management function, are we comfortable with being the lighthouse – guiding, supporting and assisting the captain to map out a course for his ship, and then calling in the coast guard if the captain chooses to take a dangerous course or gets into trouble?
Happy sailing or happy guiding? The choice is yours.